Who: La Commission nationale de l’informatique et des libertés (“CNIL”) and Vectaury S.A.S. (“Vectaury”)
Where: France
When: 30 October 2018
Law stated as at: 28 November 2018
What happened:
The French data protection authority, CNIL, has issued a formal notice to a mobile adtech platform that its consent management platform does not comply with the consent requirements under the General Data Protection Regulation (the “GDPR”).
Vectaury’s product
Vectaury offers technology that retail partners can integrate into their mobile apps. The technology allows Vectaury to collect geolocation data (as well as other device and browser information). This data is analysed and matched up with certain geographic points of interests (such as the partner’s physical stores) to measure visits to the retailer’s points of sale and to drive in-store retail traffic through the serving of ads.
Vectaury’s technology, implemented by publishers via an SDK, involves a Consent Management Platform (CMP), which allows users to manage their privacy consents. This CMP implements the Interactive Advertising Bureau’s (IAB) framework. It provides a short notice explaining that the users’ browsing history and geolocation is gathered for targeted marketing purposes, and gives users the option to either accept or customise their preferences (the latter leading to a menu where the user can accept or reject the use of certain categories of data). However, CNIL concluded that the CMP did not meet the GDPR’s consent requirement.
CNIL’s objections
CNIL concluded that, “It is clear that Vectaury is unable to demonstrate that the data currently collected through real time bid requests are subject to informed, free, specific, and unambiguous consent” for the following reasons:
- Vectaury’s CMP consent is not sufficiently informed because the text shown in the app (“we and our partners ask your permission to collect personal information such as your browsing or location data. This enables us both to provide free access to our services and deliver ads in non-intrusive formats.”) lacks transparency, includes imprecise and complex terms, may lead users to believe that refusing data collection will lead to a charge, the inability to use the app, or more intrusive ads to be served and does not immediately identify all partners with whom the data is shared;
- Vectaury’s consent is insufficiently specific in light of the requirements of the GDPR and guidance issued by the Article 29 Working Party (now the European Data Protection Board). In particular, users are only able to consent or reject relatively broad categories of data uses; the types of processing which the user supposedly consents to were deemed not to be granular enough to allow the user to make a free choice in respect of each type of processing, and there was no specific consent for the use of geolocation data for marketing purposes; and
- Vectaury’s CMP does not allow for consent to be expressed through positive action, particularly as the specific purposes to which a user ‘consented’ were pre-selected by default.
Vectaury has been given three months to carry out the following tasks:
- delete all data obtained without informed, specific and actively expressed consent; and
- not process personal geolocation data for targeted advertising purposes without a legal basis. In particular, any consent relied upon needs to comply with Articles 6 and 7 of the GDPR.
No sanctions have been imposed or announced, subject to compliance with the above requirements.
Why this matters:
This is the fourth enforcement notice issued by CNIL in the past few months in the mobile ad tech space and enforces key GDPR principles. It will be interesting to see if other regulators, such as the ICO, start focussing on this area too.
The worrying thing for adtech providers, as well as publishers which adopt their technologies, is that CNIL did not deem the IAB framework to be sufficient for obtaining GDPR level consent. This framework is relied on by numerous data controllers who operate on the basis of consent, particularly in a cookie context. If other national regulators start to adopt similar positions as CNIL, it could be back to the drawing board for working out how to manage consents.
The decision was not intended to be a general finding that adtech companies are not allowed to externalise the obtaining of consent to publishers. Nor did the CNIL enforcement notice state that consent needed to be relied on as the lawful grounds for processing geolocation data in these circumstances by Vectaury – it was simply the ground which Vectaury had chosen, and so CNIL’s finding was in the context of Vectaury already having made this choice.
Nevertheless, CNIL did note that a controller relying on consent cannot simply point to contractual provisions requiring a third party to obtain valid consent (in this case the publisher and any ‘supply side platforms’ that formed part of the chain of consent to Vectaury) as sufficient to meet the consent requirements of Article 7 of the GDPR. CNIL declared that Vectaury must be able to demonstrate, for the entirety of the personal data it is processing at any moment, the validity of the consent obtained. As such, data controllers must be prepared to evidence this consent and so must get comfortable that the tools used to obtain the consent are structured in such a way that the consent is valid and can be demonstrated. In practice, this is a very challenging thing to do, and could give the adtech industry somewhat of a headache.